Malware analysis

Powerful Skygofree Spyware Was Already Reported and Analyzed In 2017

Pierluigi Paganini
January 19, 2018 by
Pierluigi Paganini

The Skygofree spyware analyzed by Kaspersky today was first spotted by the researcher Lukas Stefanko and the first analysis was published last year by the experts of CSE Cybsec ZLab.

The Skygofree spyware

A few days ago, malware researchers at Kaspersky Lab had disclosed the discovery of a new strain of mobile malware; it is powerful Android spyware dubbed Skygofree.

Become a certified reverse engineer!

Become a certified reverse engineer!

Get live, hands-on malware analysis training from anywhere, and become a Certified Reverse Engineering Analyst.

Skygofree is Android spyware that could be used to gain full control of infected devices remotely, the features it implements make this threat very useful in targeted attacks.

The analysis conducted by Kaspersky revealed that Skygofree was used against many users for the past four years, most of them in Italy.

It is important to clarify that the name Skygofree is not linked to Sky Go, which is the subsidiary of Sky and does not affect its services.

The malware has been in the wild at least since 2014, and it was improved several times over the years.

"At the beginning of October 2017, we discovered new Android spyware with several features previously unseen in the wild. In the course of further research, we found a number of related samples that point to a long-term development process. We believe the initial versions of this malware were created at least three years ago – at the end of 2014," reads the analysis published by Kaspersky.

"Since then, the implant's functionality has been improving and remarkable new features implemented, such as the ability to record audio surroundings via the microphone when an infected device is in a specified location; the stealing of WhatsApp messages via Accessibility Services; and the ability to connect an infected device to Wi-Fi networks controlled by cybercriminals."

Is this the first time that malware researchers have discovered this threat?

The answer is negative, the malware was first observed by the security researcher at ESET Lukas Stefanko, and a first detailed analysis of the Skygofree spyware was published by the experts at the CSE Cybsec ZLab.

The researchers at the ZLab published in November a report titled "Malware Analysis Report: Fake 3MobileUpdater" after obtained a sample of the malware, immediately emerged that the malicious code was developed for surveillance purposes by an Italian firm, likely operating for law enforcement.

According to Kaspersky, Skygofree has being distributed through fake web pages mimicking leading mobile network operators. The analysis of the domains used in the attack revealed they were registered since 2015.

The most recently observed domain was registered on October 31, 2017, according to Kaspersky telemetry data, the malicious code was used against several individuals, the victims were exclusively in Italy.

The team of researchers at CSE CybSec ZLab analyzed in November a fake 3 Mobile Updater that was used pose itself as a legitimate application of the Italian Telco company, TRE Italia.

"The most classic and efficient method used to lure the users is to believe that the application does something good. This is just what 3 Mobile Updater does. In fact, this malicious Android application looks like a legitimate app used to retrieve mobile system update, and it improperly uses the logo of the notorious Italian Telco company, TRE Italia, in order to trick victims into trusting it," reads the report published by CSE CybSec.

Figure 1 - 3 Mobile Updater analyzed by CSECybsec in 2016

The analysis conducted by Kaspersky suggests the involvement of an Italian firm due to the presence in the code of strings in Italian.

"As can be seen from the comparison, there are similar strings and also a unique comment in Italian, so it looks like the attackers created this exploit payload based on android-rooting-tools project source code," states Kaspersky.

The CSE CybSec researchers shared the same conclusion, below a portion of the code analyzed by the members of the ZLab.

"Moreover, both in the logcat messages and in the code, the malware writers used the Italian language. So, we can say with high confidence that this malicious app has been written by an Italian firm that intended to target users of the Italian telco company Tre," CSE wrote in the analysis.

The artifacts analyzed by Kaspersky in the malware code and information gathered on the control infrastructure suggest the developer of the Skygofree malware is an Italian IT company that works for surveillance solutions.

Kaspersky Lab has not confirmed the name of the Italian company behind this spyware, we at the CSE CybSec ZLab opted for the same decision in October due to the possible involvement of law enforcement or intelligence Agencies.

Unfortunately, the OPsec implemented by the firm is very poor. The name of the company is present in multiple references to the code, and the domains used as C&C servers were registered by the Italian tech firm.

"Although the security firm has not confirmed the name of the Italian company behind this spyware, it found multiple references to Rome-based technology company 'Negg' in the spyware's code. Negg is also specialized in developing and trading legal hacking tools," states the blog post published by THN.

Once installed, Skygofree hides its icon and starts background services to conceal its malicious actions from the victim, one interesting feature implemented by the malicious code prevents its services from being killed.

"Interestingly, a self-protection feature was implemented in almost every service. Since in Android 8.0 (SDK API 26) the system is able to kill idle services, this code raises a fake update notification to prevent it," continues Kaspersky.

Kaspersky published an interesting analysis of the Skygofree spyware, according to the firm the malicious code was enhanced since October implementing a sophisticated multi-stage attack and using a reverse shell payload.

The malicious code includes multiple exploits to escalate privileges for root access used by attackers to execute sophisticated payloads, including a shellcode used to spy on popular applications such as Facebook, WhatsApp, Line, and Viber.

The same spying abilities were implemented in the app analyzed at the CSE CybSec.

"The capabilities of this malicious app are enormous and include the information gathering from various sources, including
the most popular social apps, including Whatsapp, Telegram, Skype, Instagram, Snapchat. It is able to steal a picture from the gallery, SMS and calls registry apps. All this data is first stored in a local database, created by the malicious app, and later it is sent to the C2C," reads the preliminary analysis published on SecurityAffairs.

"There are multiple, exceptional capabilities: usage of multiple exploits for gaining root privileges, a complex payload structure, [and] never-before-seen surveillance features," the researchers said.

Skygofree implements the main surveillance features; it can take pictures and videos remotely, monitor SMSs, call records and calendar events, of course, it also able to gather target' location and access any information stored on the mobile.

Skygofree also can record audio via the microphone, an interesting feature implemented by the spyware allows the attacker to force the victim's device to connect to compromised Wi-Fi networks it controls to conduct man-in-the-middle attacks.

Kaspersky also found a variant of Skygofree targeting Windows users, a circumstance that suggests the Italian firm is also targeting machines running Windows OS.

The best way to prevent yourself from being a victim is to avoid downloading apps via third-party websites, app stores or links provided in SMS messages or emails.

The journalist Thomas-Fox from Forbes magazine wrote an interesting article about Skygofree some hours after the publishing of the Kaspersky report. Thomas searched for archived versions of the website used by the Italian firm Negg and discovered that the company was looking for software engineers with experience in Android and iOS development.

It was requested to the candidates the "knowledge of the techniques of dynamic and static analysis of malware."

"That chimed with the Kaspersky research, which found only a few infections, all within Italy. The Russian antivirus provider concluded the software, which it dubbed Skygofree, was one of the most powerful seen aimed at Android operating systems," wrote Thomas-Fox.

"The surveillance tool was being delivered via a handful of websites, including fake network update pages from different telecoms giants, including Three and Vodafone, all registered in 2015. "

I asked my colleague Dr. Antonio Pirozzi, Director of the CSE CybSec ZLab, to compare the stubs of code shared by Kaspersky with the ones related to the code we analyzed back in November.

This is what has emerged from the comparison.

  • These classes are identical:

  • The spyware CSE Cybsec analyzed did not contain the Android exploits found by Kaspersky, as well as the reverse shell PRISM and the busy box.
  • However, also the class used for parsing are similar;

Moreover, the DNS used are the same;

The analysis published by Kaspersky included Indicators of Compromise, including the URL of the C&C (url[.] plus) which was the same of the Spyware analyzed by CSE CybSec.

"Definitely we have a lot of evidences inside the spy tool that link the threat to the Italian firm. The Italian company's name is everywhere in the code, and the whois records of the C&C are registered by the same firm. This lets me think that someone was protecting these hackers. We are uncovering a Pandora Vase," added Dr. Antonio Pirozzi.


Many parts of the code are identical; both source code includes strings in Italian and the reference to the Italian firm are the same. The version analyzed by Kaspersky is a new release of the malware first analyzed by CSE CybSec ZLab.

Kaspersky also shared the URL from which the spyware is downloaded, and one of them was related to the version we analyzed (Fake 3 mobile updater).

The two version of the malware shared numerous classes, C&C server, Whois records and many other info. The sample analyzed by CSE was probably still under development.

The discovery of the tool and the simplicity in attributing it to a specific actor is disconcerting and raises serious questions about the way surveillance activity must be conducted. For an intelligence agency was not complicated to identify the surveillance activity conducted using software like Skygofree and variously interfere with the operation.


Become a certified reverse engineer!

Become a certified reverse engineer!

Get live, hands-on malware analysis training from anywhere, and become a Certified Reverse Engineering Analyst.

Pierluigi Paganini
Pierluigi Paganini

Pierluigi is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group, member of Cyber G7 Workgroup of the Italian Ministry of Foreign Affairs and International Cooperation, Professor and Director of the Master in Cyber Security at the Link Campus University. He is also a Security Evangelist, Security Analyst and Freelance Writer.

Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.

Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.